What You’ll Achieve
- Find the exact list of commands actually submitted through Windows Run
- Tell the difference between “I pasted it” and “I ran it”
- Time needed: about 2 minutes
- Difficulty: Beginner
Experience note: Used this exact check while confirming whether a suspicious command had run on my own machine.
After nearly pasting a malicious ClickFix command into my own terminal, the question I actually needed answered wasn’t “is this dangerous.” I already knew that part. It was “did I already run it without realizing.” On a Mac, that answer lives in shell history. On Windows, if the delivery method was the Run dialog rather than PowerShell directly, it lives in a registry key almost nobody checks: RunMRU.
Before opening Registry Editor
- You are only viewing the RunMRU key, not editing the registry.
- Do not delete values just because they look unfamiliar.
- Take a screenshot or copy the suspicious command into a note before changing anything.
- If files are actively changing or encrypting, disconnect from Wi-Fi first and move to incident cleanup.
What RunMRU Actually Records
RunMRU stands for “Run - Most Recently Used.” Windows keeps this list so the Run dialog can autocomplete commands you’ve typed before. As a side effect, it also becomes a record of exactly what you’ve submitted, not just typed, through Win+R over time.
That distinction matters here. Pasting text into Run does nothing by itself. RunMRU only records a command once you’ve pressed Enter or clicked OK. If you’re trying to confirm whether something you pasted ever actually ran, this key gives a direct answer instead of a guess.
Step 1: Open the Registry Editor
Press Win+R, type regedit, and press Enter. Opening the Registry Editor to view this key is safe. The caution that applies to the registry is about editing or deleting values you don’t understand, not about looking at them.
Step 2: Navigate to the RunMRU Key
Paste this path into the address bar at the top of the Registry Editor window (yes, pasting into the Registry Editor’s own address bar is fine, it navigates rather than executes anything):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Where I Got Stuck:
The first time I looked at this key, the values are labeled a, b, c, and so on rather than anything obviously readable, and the order isn’t top to bottom the way you’d expect. The MRUList value at the bottom tells you the actual order, most recent letter first. Skip that step and you’ll misread which command was most recent.
Step 3: Read the Entries
Click through each lettered value. The data column shows the exact text that was submitted through Run, usually followed by \1 at the end, which you can ignore. Check the MRUList value first to know which letter represents the most recent entry, then work backward from there.
Look specifically for anything referencing powershell, cmd, curl, iwr, certutil, or a URL you don’t recognize. Ordinary use of Run tends to be short, familiar things like notepad, cmd, or a folder path. A long string with encoded text or a pipe symbol is not ordinary use.
Practical checklist
What to look for in RunMRU
Most Run history entries are boring. The suspicious ones usually stand out because they are long, encoded, or network-connected.
Normal-looking
- Short app names like notepad, calc, cmd, or regedit.
- Folder paths you recognize.
- Commands you remember intentionally opening.
Suspicious
- powershell or cmd followed by a long command.
- curl, iwr, certutil, or a URL you do not recognize.
- Encoded strings, pipe symbols, or hidden-window flags.
Next checks
- Check PowerShell history separately.
- Review startup apps and scheduled tasks.
- Run a full scan if you find a matching command.
Step 4: Check PowerShell History Separately If Needed
RunMRU only covers the Win+R dialog itself. If you’re not sure whether a command was pasted directly into an open PowerShell window instead, that has its own, separate history file:
Get-Content (Get-PSReadLineOption).HistorySavePath
This prints PowerShell’s command history directly, which will show a command whether it was typed or pasted, as long as it was actually submitted.
What Counts as Proof
Finding nothing matching in either RunMRU or PowerShell history is a strong sign the command was never submitted through those paths, especially if there are no suspicious startup items afterward. It is not a perfect forensic guarantee, but it is enough for most home checks. Finding an exact or close match means you should assume it ran and move to a full scan plus the checks in our virus symptom checklist. If the command itself is still visible somewhere, use the command-safety guide to decode and read it first.
Myth check
Run history myths
RunMRU is useful, but it is not a complete forensic timeline. Use it for the question it actually answers.
Myth
If I pasted it into Run, it will appear in RunMRU.
Reality
RunMRU records submitted commands, not text that was pasted and then closed without pressing Enter or OK.
GuardPick take
A missing entry is reassuring when you know Run was the only place involved.
Also check PowerShell history if a terminal window may have been used.
Myth
Registry Editor is dangerous to open.
Reality
Viewing a key is safe. Editing or deleting values without understanding them is the risky part.
GuardPick take
Read-only inspection is fine; registry cleanup is a different task.
Navigate to the key, read the values, and leave the rest alone.
Myth
No RunMRU entry proves the computer is clean.
Reality
It only suggests the command was not submitted through the Run dialog.
GuardPick take
Use it as one strong clue, not as the whole investigation.
Pair it with PowerShell history, startup checks, and a full scan if the risk is serious.


